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The Process Monitor (ProcMon) tool is used to track the various processes activity in the Windows operating system. 
This utility allows you to show how processes access files on disk, registry keys, remote resources, etc. in real-time. 


The ProcMon combines the capabilities of two legacy Sysinternals utilities at once — FileMon and RegMon. 
With Process Monitor, you can: 


a Track the startup and shutdown events of processes and threads, including information about the exit code; 

a Collect data on the parameters of input and output operations; 

a Set filters to display only the necessary information. For example, about the actions of a specific process, 
access to a specific file or a registry key; 


a Log all operations during system boot (starting processes, services). This is useful for diagnosing slow 


Windows boot. 


ProcMon is not a built-in system utility, so you must download it manually from the Microsoft website. Process 
Monitor does not require installation. Extract the archive and run the procmon.exe (procmon64.exe) executable file as 


an administrator. 


When you start Process Monitor for the first time, a license agreement (EULA) appears on the screen that requires 


user confirmation. 
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Run as user without UAC privilege elevation 


When ProcMon starts, it installs a special system driver PROCMON20.SYS. It intercepts system function calls for the 


following operations: access to the file system, registry, process activity, network connections. 


Using Process Monitor to Track File and Registry Changes 


In this article, we will show how to track accesses and changes to files and registry on your local computer using 


Process Monitor. 


Let's say, you need to track access to the registry key HKEY_CURRENT_USER\Software\test and file 


c:\ps\procmon_example.txt. 


When Process Monitor starts, it begins capturing all events according to the default filters. 


ADVERTISEMENT 


Stop capturing events by unchecking the option File > Capture Events (Ctrl+E) and clear the current ProcMon log (Edit 


> Clear Display). 
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Now you need to configure the Process Monitor filters (Filter > Filter). The filters allow you to specify various criteria 


for events to be added or excluded from the monitoring. 


The default filter already excludes events of a standard Windows system activity and the procmon.exe process itself. 


In most cases, you don't need to remove these filters. We'll add some additional filters. 


Create a filter for monitoring access to the registry key: Path > contains > \SOFTWARE\test > Include. Click Add to 


add a new filter to the list. 
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Now add a file access event filter: Path > is > c:\ps\procmon_example.txt > Include. 


Make sure the following options are enabled in the ProcMon toolbar: Show Registry Activity, Show File System 


Activity. The Show Network Activity and Show Process, and Threads Activity options can be disabled. 
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Start event monitoring File > Capture Event. 


As an example, let’s create a reg parameter key in the specified registry key using the command prompt: 


reg add hkcu\software\test /v Path /t REG_EXPAND SZ /d “%systemroot*% 


Then, let's write some data into the procmon_example. txt file using the command line: 


echo %date%>>c:\ps\procmon_example.txt 


And using PowerShell: 
Get-Process|out-file C:\ps\procmon_example.txt 


Switch to the ProcMon window. As you can see, it contains events for creating a registry key by the reg.exe process 
(Operation > RegCreateKey). It also contains events of creation (Create File) and writing to a file (WriteFile) by the 


processes cmd.exe and powershell.exe. 


The list of events contains the system process msmpeng.exe (Antimalware Service Executable). This is the core 
process of the antimalware detection engine in Windows Defender. To exclude the events of this process from the 


ProcMon log, right-click on the process name msmpeng.exe and select Exclude “....”. 


This process will be added to the ProcMon filter with the Exclude value. It means that the ProcMon log won't display 


any activity from this process. 


In this way, exclude any other trusted processes that are accessing your file or registry key. Now, if any process 


running on Windows tries to read or write to a tracking file or registry key, you will see this event in Process Monitor. 


66 Hints. Running Process Monitor can negatively affect the performance of your computer. Regardless of 
the filters configured, it stores all events in RAM (even if they are not displayed in the window). If ProcMon 


has been running for a long time, it may take up all the available RAM. You can configure ProcMon to store 
events not in virtual memory but in a file on disk. To do this, select the File > Backing Files > Use File 
named, and specify the file name. If you want ProcMon to save only the events that match your filters and 


drop all the others, enable the option Filter > Drop Filtered Events. 


For example, you want to monitor only write events to a file. Click in the ProcMon window on the line with the 


WriteFile operation type, and add this event to the Include filter. 


Thus, any object or event in ProcMon can be added to the filters, so that the minimum set of events that you need to 


analyze access to a file or registry are displayed in front of you. 
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Thanks for this tutorial Cyril! What if my goal is to log all events of a certain type whenever the computer 
is running, so the log file will act as a complete history of changes? 

Will creating a filter like this persist across reboots? If not, is there a way to create the filter 
programmatically, so | can set it as a startup task? 

P.S. You mentioned a performance impact to RAM if Procmon runs with a filter for a long time, so my plan 
was to drop filtered events to a daily log file. Is this still a bad idea? Will my plan just produce massive 
text files that will fill up my storage? 

Thanks! 
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